API tools faq
paste
Advertisement
Racco42

Locky "Scanned image from copier"

Racco42
Jul 28th, 2016
1,722
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.17 KB | None | 0 0
raw download clone embed print report
  1. 2016-07-28 Locky email phishing campaign:
  2.  
  3. Email sample (sender domain is same as recepient's domain):
  4. ------------------------------------------------------------------------------------------------------
  5. From: copier@[REDACTED]
  6. To: [REDACTED]
  7. Subject: Scanned image from copier@[REDACTED]
  8.  
  9. Reply to: copier@[REDACTED] <copier@[REDACTED]> Device Name: copier@[REDACTED] Device Model: MX-2310U
  10.  
  11. File Format: Microsoft Office Word
  12. Resolution: 200dpi x 200dpi
  13.  
  14. Attached file is scanned image in Microsoft Office Word format.
  15. Use Microsoft Office Word to view the document.
  16. ------------------------------------------------------------------------------------------------------
  17. Attachment: copier@[REDACTED]_20160720265770.docm
  18.  
  19. Attached .docm contains downloader which downloads from:
  20.  
  21. http://aminghausen.com/j988765
  22. http://apachost.com/j988765
  23. http://avon-beraterin-mank.de/j988765
  24. http://baldwinhistory.portalstream.net/j988765
  25. http://cukiernia_izabela.republika.pl/j988765
  26. http://dawstaw.cba.pl/j988765
  27. http://dev12.gammat.net/j988765
  28. http://gnetgnethouse.web.fc2.com/j988765
  29. http://gumka.strefa.pl/j988765
  30. http://it4cio.servicos.ws/j988765
  31. http://kreacjonizm.cba.pl/j988765
  32. http://levivanesch.nl/j988765
  33. http://maka.ken-shin.net/j988765
  34. http://mo2radio.web.fc2.com/j988765
  35. http://okhtinka.ru.hoster-ok.com/j988765
  36. http://robertstefan.home.ro/j988765
  37. http://sardain.fr/j988765
  38. http://schefman.info/j988765
  39. http://sonomama.kan-be.com/j988765
  40. http://taityou0615.web.fc2.com/j988765
  41. http://tolearn.tora.ru/j988765
  42. http://whvf2gm5n.homepage.t-online.de/j988765
  43. http://www.aspadeljaen.com/j988765
  44. http://www.axasegurosagenciacadiz.com/j988765
  45. http://www.camelu.com/j988765
  46. http://www.centrometeosiciliano.it/j988765
  47. http://www.flagships.de/j988765
  48. http://www.kan-therm.ru/j988765
  49. http://www.schwarzer-baer-kastl.de/j988765
  50. http://www.sgspeziapallamano.com/j988765
  51. http://www.studiochiarelli.eu/j988765
  52. http://www.uasm.de/j988765
  53.  
  54. Malware: https://www.reverse.it/sample/a7704087cfb711f2542cf7493f496d7b6719d0333db9e5bf5d716bec9531f36d?environmentId=100
  55.  
  56. C2:
  57. 178.62.232.244:80/upload/_dispatch.php
  58. 139.59.147.0:80/upload/_dispatch.php
  59. 193.124.180.6:80/upload/_dispatch.php
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!